1243730Srwatson/*- 2243730Srwatson * Copyright (c) 2012 The FreeBSD Foundation 3243730Srwatson * All rights reserved. 4243730Srwatson * 5243730Srwatson * This software was developed by Pawel Jakub Dawidek under sponsorship from 6243730Srwatson * the FreeBSD Foundation. 7243730Srwatson * 8243730Srwatson * Redistribution and use in source and binary forms, with or without 9243730Srwatson * modification, are permitted provided that the following conditions 10243730Srwatson * are met: 11243730Srwatson * 1. Redistributions of source code must retain the above copyright 12243730Srwatson * notice, this list of conditions and the following disclaimer. 13243730Srwatson * 2. Redistributions in binary form must reproduce the above copyright 14243730Srwatson * notice, this list of conditions and the following disclaimer in the 15243730Srwatson * documentation and/or other materials provided with the distribution. 16243730Srwatson * 17243730Srwatson * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 18243730Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19243730Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20243730Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 21243730Srwatson * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22243730Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23243730Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24243730Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25243730Srwatson * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26243730Srwatson * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27243730Srwatson * SUCH DAMAGE. 28243730Srwatson * 29243734Srwatson * $P4: //depot/projects/trustedbsd/openbsm/bin/auditdistd/sandbox.c#3 $ 30243730Srwatson */ 31243730Srwatson 32243734Srwatson#include <config/config.h> 33243730Srwatson 34243730Srwatson#include <sys/param.h> 35243730Srwatson#ifdef HAVE_JAIL 36243730Srwatson#include <sys/jail.h> 37243730Srwatson#endif 38243730Srwatson#ifdef HAVE_CAP_ENTER 39243730Srwatson#include <sys/capability.h> 40243730Srwatson#endif 41243730Srwatson 42243730Srwatson#include <errno.h> 43243730Srwatson#include <pwd.h> 44243730Srwatson#include <stdarg.h> 45243730Srwatson#include <stdbool.h> 46243730Srwatson#include <stdio.h> 47243730Srwatson#include <stdlib.h> 48243730Srwatson#include <strings.h> 49243730Srwatson#include <unistd.h> 50243730Srwatson 51243734Srwatson#include "pjdlog.h" 52243730Srwatson#include "sandbox.h" 53243730Srwatson 54243730Srwatsonstatic int 55243730Srwatsongroups_compare(const void *grp0, const void *grp1) 56243730Srwatson{ 57243730Srwatson gid_t gr0 = *(const gid_t *)grp0; 58243730Srwatson gid_t gr1 = *(const gid_t *)grp1; 59243730Srwatson 60243730Srwatson return (gr0 <= gr1 ? (gr0 < gr1 ? -1 : 0) : 1); 61243730Srwatson 62243730Srwatson} 63243730Srwatson 64243730Srwatsonint 65243730Srwatsonsandbox(const char *user, bool capsicum, const char *fmt, ...) 66243730Srwatson{ 67243730Srwatson#ifdef HAVE_JAIL 68243730Srwatson struct jail jailst; 69243730Srwatson char *jailhost; 70243730Srwatson va_list ap; 71243730Srwatson#endif 72243730Srwatson struct passwd *pw; 73243730Srwatson uid_t ruid, euid; 74243730Srwatson gid_t rgid, egid; 75243730Srwatson#ifdef HAVE_GETRESUID 76243730Srwatson uid_t suid; 77243730Srwatson#endif 78243730Srwatson#ifdef HAVE_GETRESGID 79243730Srwatson gid_t sgid; 80243730Srwatson#endif 81243730Srwatson gid_t *groups, *ggroups; 82243730Srwatson bool jailed; 83243730Srwatson int ngroups, ret; 84243730Srwatson 85243730Srwatson PJDLOG_ASSERT(user != NULL); 86243730Srwatson PJDLOG_ASSERT(fmt != NULL); 87243730Srwatson 88243730Srwatson ret = -1; 89243730Srwatson groups = NULL; 90243730Srwatson ggroups = NULL; 91243730Srwatson 92243730Srwatson /* 93243730Srwatson * According to getpwnam(3) we have to clear errno before calling the 94243730Srwatson * function to be able to distinguish between an error and missing 95243730Srwatson * entry (with is not treated as error by getpwnam(3)). 96243730Srwatson */ 97243730Srwatson errno = 0; 98243730Srwatson pw = getpwnam(user); 99243730Srwatson if (pw == NULL) { 100243730Srwatson if (errno != 0) { 101243730Srwatson pjdlog_errno(LOG_ERR, 102243730Srwatson "Unable to find info about '%s' user", user); 103243730Srwatson goto out; 104243730Srwatson } else { 105243730Srwatson pjdlog_error("'%s' user doesn't exist.", user); 106243730Srwatson errno = ENOENT; 107243730Srwatson goto out; 108243730Srwatson } 109243730Srwatson } 110243730Srwatson 111243730Srwatson ngroups = sysconf(_SC_NGROUPS_MAX); 112243730Srwatson if (ngroups == -1) { 113243730Srwatson pjdlog_errno(LOG_WARNING, 114243730Srwatson "Unable to obtain maximum number of groups"); 115243730Srwatson ngroups = NGROUPS_MAX; 116243730Srwatson } 117243730Srwatson ngroups++; /* For base gid. */ 118243730Srwatson groups = malloc(sizeof(groups[0]) * ngroups); 119243730Srwatson if (groups == NULL) { 120243730Srwatson pjdlog_error("Unable to allocate memory for %d groups.", 121243730Srwatson ngroups); 122243730Srwatson goto out; 123243730Srwatson } 124243730Srwatson if (getgrouplist(user, pw->pw_gid, groups, &ngroups) == -1) { 125243730Srwatson pjdlog_error("Unable to obtain groups of user %s.", user); 126243730Srwatson goto out; 127243730Srwatson } 128243730Srwatson 129243730Srwatson#ifdef HAVE_JAIL 130243730Srwatson va_start(ap, fmt); 131243730Srwatson (void)vasprintf(&jailhost, fmt, ap); 132243730Srwatson va_end(ap); 133243730Srwatson if (jailhost == NULL) { 134243730Srwatson pjdlog_error("Unable to allocate memory for jail host name."); 135243730Srwatson goto out; 136243730Srwatson } 137243730Srwatson bzero(&jailst, sizeof(jailst)); 138243730Srwatson jailst.version = JAIL_API_VERSION; 139243730Srwatson jailst.path = pw->pw_dir; 140243730Srwatson jailst.hostname = jailhost; 141243730Srwatson if (jail(&jailst) >= 0) { 142243730Srwatson jailed = true; 143243730Srwatson } else { 144243730Srwatson jailed = false; 145243730Srwatson pjdlog_errno(LOG_WARNING, 146243730Srwatson "Unable to jail to directory %s", pw->pw_dir); 147243730Srwatson } 148243730Srwatson free(jailhost); 149243730Srwatson#else /* !HAVE_JAIL */ 150243730Srwatson jailed = false; 151243730Srwatson#endif /* !HAVE_JAIL */ 152243730Srwatson 153243730Srwatson if (!jailed) { 154243730Srwatson if (chroot(pw->pw_dir) == -1) { 155243730Srwatson pjdlog_errno(LOG_ERR, 156243730Srwatson "Unable to change root directory to %s", 157243730Srwatson pw->pw_dir); 158243730Srwatson goto out; 159243730Srwatson } 160243730Srwatson } 161243730Srwatson PJDLOG_VERIFY(chdir("/") == 0); 162243730Srwatson 163243730Srwatson if (setgroups(ngroups, groups) == -1) { 164243730Srwatson pjdlog_errno(LOG_ERR, "Unable to set groups"); 165243730Srwatson goto out; 166243730Srwatson } 167243730Srwatson if (setgid(pw->pw_gid) == -1) { 168243730Srwatson pjdlog_errno(LOG_ERR, "Unable to set gid to %u", 169243730Srwatson (unsigned int)pw->pw_gid); 170243730Srwatson goto out; 171243730Srwatson } 172243730Srwatson if (setuid(pw->pw_uid) == -1) { 173243730Srwatson pjdlog_errno(LOG_ERR, "Unable to set uid to %u", 174243730Srwatson (unsigned int)pw->pw_uid); 175243730Srwatson goto out; 176243730Srwatson } 177243730Srwatson 178243730Srwatson#ifdef HAVE_CAP_ENTER 179243730Srwatson if (capsicum) { 180243730Srwatson capsicum = (cap_enter() == 0); 181243730Srwatson if (!capsicum) { 182243730Srwatson pjdlog_common(LOG_DEBUG, 1, errno, 183243730Srwatson "Unable to sandbox using capsicum"); 184243730Srwatson } 185243730Srwatson } 186243730Srwatson#else /* !HAVE_CAP_ENTER */ 187243730Srwatson capsicum = false; 188243730Srwatson#endif /* !HAVE_CAP_ENTER */ 189243730Srwatson 190243730Srwatson /* 191243730Srwatson * Better be sure that everything succeeded. 192243730Srwatson */ 193243730Srwatson#ifdef HAVE_GETRESUID 194243730Srwatson PJDLOG_VERIFY(getresuid(&ruid, &euid, &suid) == 0); 195243730Srwatson PJDLOG_VERIFY(suid == pw->pw_uid); 196243730Srwatson#else 197243730Srwatson ruid = getuid(); 198243730Srwatson euid = geteuid(); 199243730Srwatson#endif 200243730Srwatson PJDLOG_VERIFY(ruid == pw->pw_uid); 201243730Srwatson PJDLOG_VERIFY(euid == pw->pw_uid); 202243730Srwatson#ifdef HAVE_GETRESGID 203243730Srwatson PJDLOG_VERIFY(getresgid(&rgid, &egid, &sgid) == 0); 204243730Srwatson PJDLOG_VERIFY(sgid == pw->pw_gid); 205243730Srwatson#else 206243730Srwatson rgid = getgid(); 207243730Srwatson egid = getegid(); 208243730Srwatson#endif 209243730Srwatson PJDLOG_VERIFY(rgid == pw->pw_gid); 210243730Srwatson PJDLOG_VERIFY(egid == pw->pw_gid); 211243730Srwatson PJDLOG_VERIFY(getgroups(0, NULL) == ngroups); 212243730Srwatson ggroups = malloc(sizeof(ggroups[0]) * ngroups); 213243730Srwatson if (ggroups == NULL) { 214243730Srwatson pjdlog_error("Unable to allocate memory for %d groups.", 215243730Srwatson ngroups); 216243730Srwatson goto out; 217243730Srwatson } 218243730Srwatson PJDLOG_VERIFY(getgroups(ngroups, ggroups) == ngroups); 219243730Srwatson qsort(groups, (size_t)ngroups, sizeof(groups[0]), groups_compare); 220243730Srwatson qsort(ggroups, (size_t)ngroups, sizeof(ggroups[0]), groups_compare); 221243730Srwatson PJDLOG_VERIFY(bcmp(groups, ggroups, sizeof(groups[0]) * ngroups) == 0); 222243730Srwatson 223243730Srwatson pjdlog_debug(1, 224243730Srwatson "Privileges successfully dropped using %s%s+setgid+setuid.", 225243730Srwatson capsicum ? "capsicum+" : "", jailed ? "jail" : "chroot"); 226243730Srwatson 227243730Srwatson ret = 0; 228243730Srwatsonout: 229243730Srwatson if (groups != NULL) 230243730Srwatson free(groups); 231243730Srwatson if (ggroups != NULL) 232243730Srwatson free(ggroups); 233243730Srwatson return (ret); 234243730Srwatson} 235